TrueNAS.com Software Systems Company Community Security iX Portal Download
F-Series
F-Series

All-Flash NVMe Performance.

 H-Series
H-Series

Big business performance. Entry level pricing.

 Mini Series
Mini Series

Home Labs, Small Office & SMB Applications.
M-Series
M-Series

All-Flash or Hybrid Enterprise Performance.

 R-Series
R-Series

Single Controller Storage Appliances.
TrueNAS Enterprise Icon
TrueNAS Enterprise

Mission Critical Storage. 24×7 Enterprise Support.
TrueCommand Icon
TrueCommand

Manage Your TrueNAS Fleet All From One Place.

Use Cases

Analytics Backup & Archival Cloud Data Mobility File Sharing
iX-Storj Media & Entertainment Surveillance Veeam Backup Virtualization

Industry

Audio Broadcasting Gaming Healthcare Manufacturing Media & Entertainment
Automotive Education Government MSP Research & AI

Support

Enterprise Support

For customers with active support contracts.
Community Support

For peer-to-peer, open-source support.

Resources

Case Studies Documentation Apps TrueNAS Security FAQ ZFS Overview
TrueNAS Blog Solution Guides Datasheets Software Status Videos TrueCommand Cloud
TrueNAS Community Edition Community Forum Discord TrueNAS GitHub TrueNAS Merch Store
About TrueNAS Awards Careers Contact Us Our Clients Reviews
Contact Icon
Contact an Enterprise Specialist

Speak with an enterprise storage specialist to find the right solutions for your business needs.

 TrueNAS Enterprise Icon
TrueNAS Enterprise

Enterprise-grade storage appliances designed for business and mission-critical environments.

 TrueNAS Community Edition Icon
Download TrueNAS Community Edition

Test Drive TrueNAS in Your Environment.
  1. TrueNAS Security Advisories
  2. /
  3. TrueNAS | Enterprise Security Responses

TrueNAS | Enterprise Security Responses

Component Description Security Reference Severity Security Risk Impacted Version Resolved Version More Info Additional Info
openssh A critical security vulnerability has been discovered in OpenSSH implementations on FreeBSD systems, potentially allowing attackers to execute remote code without authentication. The vulnerability, identified as CVE-2024-7589, affects all supported versions of FreeBSD. CVE-2024-7589 High None CORE-13.0-U5.3 N/A False Positive Link The OpenSSH in TrueNAS is not built with the vulnerable feature enabled. TrueNAS is not vulnerable to this issue.
openssh A security regression (CVE-2024-6387) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. This bug allows remote code execution. CVE-2024-6387 High High CORE-13.0-U5.3 CORE-13.0-U6.2 Link
py39-configobj-5.0.6_1 All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file. CVE-2023-26112 Medium Low CORE-13.0-U5.3 Not yet resolved Link Only exploitable by privlidged local user who already has full access to the system.
git-lite-2.34.1 Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround. CVE-2022-39260 High Low CORE-13.0-U5.3 Not yet resolved Link Authorized SSH users are able to exploit this vulnerability, following recommended security configuration to not provide this access mitigates this issue
git-lite-2.34.1 Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`. CVE-2022-39253 Medium Low CORE-13.0-U5.3 Not yet resolved Link Authorized SSH users are able to exploit this vulnerability, following recommended security configuration to not provide this access mitigates this issue
git Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. CVE-2023-29007 High Low CORE-13.0-U5.3 Not yet resolved Link Git is not exposed to TrueNAS users in a manner which makes this exploitable.
git Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. CVE-2023-25652 High Low CORE-13.0-U5.3 Not yet resolved Link Git is not exposed to TrueNAS users in a manner which makes this exploitable.
py39-beaker-1.11.0 is vulnerable The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution. CVE-2013-7489 Medium Low CORE-13.0-U5.3 Not yet resolved Link Only exploitable by privlidged local user who already has full access to the system.
minio-2021.12.27.07.23.18_1 MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well. CVE-2022-24842 High Critical CORE-13.0-U5.3 Not yet resolved Link Built-in Service is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release.
minio-2021.12.27.07.23.18_1 MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well. CVE-2023-28432 High Critical CORE-13.0-U5.3 Not yet resolved Link Built-in Service is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release.
minio-2021.12.27.07.23.18_1 Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off` CVE-2023-28434 High Critical CORE-13.0-U5.3 Not yet resolved Link Built-in Service is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release.
libxml2-2.9.12 An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). CVE-2023-29469 Medium Low CORE-13.0-U5.3 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
libxml2-2.9.12 In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. CVE-2023-28484 Medium Low CORE-13.0-U5.3 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
squashfs-tools-4.3_1 Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow. CVE-2015-4645 Medium Low CORE-13.0-U5.3 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
pixman-0.40.0_1 In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y. CVE-2022-44638 High Low CORE-13.0-U5.3 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
py39-sentry-sdk-1.4.3 Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule. CVE-2023-28117 Medium False Positive CORE-13.0-U5.3 Not yet resolved Link TrueNAS does not use Sentry SDK with Django so this doesn’t apply.
py39-cryptography-3.3.2 There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. CVE-2023-0286 High Low CORE-13.0-U5.3 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
py39-cryptography-3.3.2 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8. CVE-2023-23931 Medium Low CORE-13.0-U5.3 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
py39-setuptools-57.0.0 Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. CVE-2022-40897 Medium Low CORE-13.0-U5.3 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
TrueNAS middleware A vulnerability involving python deserialization, CVE-2020-22083, was found. CVE-2020-22083 Medium Medium CORE-13.0-U6.2 CORE-13.0-U6.3 Link TrueNAS assessment: exploitable by a local user
TrueNAS iocage A vulnerability involving iocage updates was found. CVE-2020-22083 High High CORE-13.0-U6.2 partial fix in CORE-13.0-U6.3 Link TrueNAS assessment: exploitable if attacker can control local gateway or upstream network.
TrueNAS middleware A vulnerability involving python deserialization, CVE-2020-22083, was found. NAS-132268 Medium Medium CORE-13.3 CORE-13.3-U1 Link TrueNAS assessment: exploitable by a local user
TrueNAS middleware A vulnerability involving iocage updates was found. CVE-2024-11944 High High CORE-13.3 CORE-13.3-U1 Link TrueNAS assessment: exploitable if attacker can control local gateway or upstream network.
TrueNAS iocage A vulnerability involving iocage updates was found. CVE-2024-11946 High High CORE-13.3 partial fix in CORE-13.3-U1 Link TrueNAS assessment: exploitable if attacker can control local gateway or upstream network.
rsync-3.2.7 Heap-buffer overflow in Rsync due to improper checksum length handling CVE-2024-12084 High High CORE-13.0 CORE-13.0-U6.6 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Information leak via uninitialized stack contents CVE-2024-12085 Medium Medium CORE-13.0 CORE-13.0-U6.6 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Rsync server leaks arbitrary client files CVE-2024-12086 Medium Medium CORE-13.0 CORE-13.0-U6.6 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Path traversal vulnerability in Rsync CVE-2024-12087 Medium Medium CORE-13.0 CORE-13.0-U6.6 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 --safe-links option bypass leads to path traversal CVE-2024-12088 Medium Medium CORE-13.0 CORE-13.0-U6.6 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Race condition in Rsync when handling symbolic links CVE-2024-12747 Medium Medium CORE-13.0 CORE-13.0-U6.6 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Heap-buffer overflow in Rsync due to improper checksum length handling CVE-2024-12084 High High CORE-13.3 CORE-13.3-U2 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Information leak via uninitialized stack contents CVE-2024-12085 Medium Medium CORE-13.3 CORE-13.3-U2 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Rsync server leaks arbitrary client files CVE-2024-12086 Medium Medium CORE-13.3 CORE-13.3-U2 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Path traversal vulnerability in Rsync CVE-2024-12087 Medium Medium CORE-13.3 CORE-13.3-U2 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 --safe-links option bypass leads to path traversal CVE-2024-12088 Medium Medium CORE-13.3 CORE-13.3-U2 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
rsync-3.2.7 Race condition in Rsync when handling symbolic links CVE-2024-12747 Medium Medium CORE-13.3 CORE-13.3-U2 Link TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks.
openssh A security regression (CVE-2024-6387) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. This bug allows remote code execution. CVE-2024-6387 High High 24.04.0 24.04.2 Link
github.com/bits-and-blooms/bloom/v3 (v3.0.1) Uncontrolled Search Path Element in GitHub repository bits-and-blooms/bloom prior to 3.3.1. CVE-2023-0247 High Low 22.12.4 Cobia 23.10-BETA.1 Link Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release.
github.com/containerd/containerd (1.6.6 & 1.5.7) containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVE-2023-25153 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/containerd/containerd (1.6.6 1.5.7) containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups. CVE-2023-25173 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/containerd/containerd (1.6.6 1.5.7) containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. CVE-2022-23471 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/containerd/containerd (1.5.7) containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue. CVE-2022-23648 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/containerd/containerd (1.5.7) containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used. CVE-2022-31030 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/containerd/containerd (1.5.7) The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec. CVE-2021-41190 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/containerd/containerd (1.5.7) containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible. CVE-2021-43816 Critical Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/minio/console (0.12.5) Minio Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0. CVE-2023-33955 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release.
k8s.io/apiserver (v0.22.5 & v0.24.2) A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium Low 22.12.4 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
github.com/coredns/coredns (1.4.0) A flaw was found in coreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of <service>.<namespace>.svc. CVE-2022-2835 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release.
github.com/coredns/coredns (1.4.0) A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD. CVE-2022-2837 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release.
github.com/opencontainers/image-spec (1.0.1) The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec. CVE-2021-41190 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. CVE-2023-25809 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. CVE-2023-27561 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. CVE-2023-28642 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.0.2) runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. CVE-2022-29162 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/opencontainers/runc (v1.0.2) runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. CVE-2021-43784 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/prometheus/client_golang (v1.10.0 & v1.11.0 & v1.7.1) client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods. CVE-2022-21698 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/rancher/wrangler (v1.0.0) A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions. CVE-2022-31249 Critical Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
github.com/rancher/wrangler (v1.0.0) A Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying specially crafted git credentials. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions. CVE-2022-43756 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
golang.org/x/text (v0.3.6 & v0.3.7) An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. CVE-2022-32149 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
golang.org/x/text (v0.3.6) golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. CVE-2021-38561 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
go.mongodb.org/mongo-driver (v1.4.6) Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0. CVE-2021-20329 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release.
busybox (1:1.30.1-6+b3) BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 High Low 22.12.4 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
busybox (1:1.30.1-6+b3) Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". CVE-2018-1000500 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
git (1:2.39.2-1~bpo11+1) Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. CVE-2020-5260 High Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
gnupg (2.2.27-2+deb11u2) GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. CVE-2022-3219 Low Low 22.12.4 Cobia 23.10-BETA.1 Link IXassessment : low risk and no fix expected from upstream
gnupg (2.2.27-2+deb11u2) A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. CVE-2022-3515 Critical Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
helm (3.9.4-1) Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers. CVE-2023-25165 Medium Medium 22.12.4 Cobia 23.10-BETA.1 Link Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
helm (3.9.4-1) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions. CVE-2022-23524 High Medium 22.12.4 Cobia 23.10-BETA.1 Link Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
helm (3.9.4-1) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions. CVE-2022-23525 High Medium 22.12.4 Cobia 23.10-BETA.1 Link Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
helm (3.9.4-1) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions. CVE-2022-23526 High Medium 22.12.4 Cobia 23.10-BETA.1 Link Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond
openssl (1.1.1t-001+deb11u4) Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. CVE-2023-2650 Medium Low 22.12.4 Cobia 23.10-BETA.1 Link In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
perl (5.32.1-4+deb11u2) HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High Low 22.12.4 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
rsyslog (8.2102.0-2+deb11u1) rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron. CVE-2015-3243 Medium Low 22.12.4 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
busybox (1:1.30.1-6+b3) There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 Critical Low 22.12.4 Cobia 23.10-BETA.1 Link TrueNAS assessment: only exploitable by a privileged user
haproxy (2.6.12-1~bpo11+1) HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. CVE-2023-40225 High Low 22.12.4 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
perl (5.32.1-4+deb11u2) CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High Low 22.12.4 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
openssl (3.0.9-2) Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue. CVE-2023-4807 High False Positive 22.12.4 N/A - False Positive Link Only applicable to Windows operating systems - False positive
samba (2:4.17.11+ix-1) smbd allows client access to unix domain sockets on the file system. CVE-2023-3931 Medium Critical 22.12.4 22.12.4.1 Link Exploitable, action recommended: upgrade to 22.12.4.1
samba (2:4.17.11+ix-1) Samba AD DC password exposure to privileged users and RODCs CVE-2023-4154 High Low 22.12.4 22.12.4.1 Link TrueNAS assessment: only exploitable by a privileged user
samba (2:4.17.11+ix-1) SMB clients can truncate files with read-only permissions CVE-2023-4091 Medium Low 22.12.4 22.12.4.1 Link TrueNAS assessment: only exploitable by a privileged user
samba (2:4.17.11+ix-1) "rpcecho" development server allows Denial of Service via sleep() call on AD DC CVE-2023-42669 Medium Low 22.12.4 22.12.4.1 Link TrueNAS assessment: only exploitable by a privileged user
samba (2:4.17.11+ix-1) Samba AD DC Busy RPC multiple listener DoS CVE-2023-42670 Medium Low 22.12.4 22.12.4.1 Link TrueNAS assessment: only exploitable by a privileged user
k8s.io/apiserver (v0.27.2) A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium Low 23.10.0 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium Low 23.10.0 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
google.golang.org/grpc (v1.40.0) When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. CVE-2023-32731 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure
google.golang.org/protobuf (v1.30, v 1.29 & v1.28.1) Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Medium False Positive 23.10.0 N/A False Positive Link Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure
google.golang.org/protobuf (v1.30, v 1.29 & v1.28.1) protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure
github.com/rclone/rclone (v1.63.0) n Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. CVE-2018-12907 High False Positive 23.10.0 N/A False Positive Link TrueNAS SCALE does not support cloud to cloud sync, not exposed
busybox (1:1.35.0-4+b3) An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 Critical False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 Critical False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 Medium False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. CVE-2014-9645 Medium False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. CVE-2013-1813 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. CVE-2011-2716 Medium False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 High False Positive 23.10.0 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 High Low 23.10.0 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user
haproxy (2.6.12-1) An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. CVE-2023-40225 High Low 23.10.0 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
openssl (3.0.9-2) Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-3817 Medium Low 23.10.0 23.10.1 Link TrueNAS assessment: only exploitable by a privileged user
perl (5.36.0-7) CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High Low 23.10.0 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user
perl (5.36.0-7) HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High Low 23.10.0 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user
openssl (3.0.9-2) Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue. CVE-2023-4807 High False Positive 23.10.0 N/A False Positive Link Only applicable to windows operating systems - False positive
k8s.io/apiserver (v0.27.2) A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium Low 23.10.1 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium Low 23.10.1 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High Low 23.10.1 Not yet resolved Link TrueNAS assessment: minor issue, no advisory.
google.golang.org/grpc (v1.40.0) When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. CVE-2023-32731 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure
google.golang.org/protobuf (v1.30, v 1.28 & v1.28.1) Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Medium False Positive 23.10.1 N/A False Positive Link Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure
google.golang.org/protobuf (v1.30, v 1.29 & v1.28.1) protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure
github.com/rclone/rclone (v1.63.0) n Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. CVE-2018-12907 High False Positive 23.10.1 N/A False Positive Link TrueNAS SCALE does not support cloud to cloud sync, not exposed
busybox (1:1.35.0-4+b3) An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 Critical False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 Critical False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 Medium False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. CVE-2014-9645 Medium False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. CVE-2013-1813 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. CVE-2011-2716 Medium False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 High False Positive 23.10.1 N/A False Positive Link Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted.
busybox (1:1.35.0-4+b3) BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 High Low 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user
haproxy (2.6.12-1) An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. CVE-2023-40225 High Low 23.10.1 Not yet resolved Link TrueNAS assessment: only exploitable by a privileged user
haproxy (2.6.12-1) HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. CVE-2023-45539 High False Positive 23.10.1 N/A False Positive Link TrueNAS assessment: system not affected, We have control over the rules that used in matches for HAProxy, and this CVE is only a problem if the rules are intended to match based on the suffix: haproxy: //github BUG/MINOR: h1: do not accept '#' as part of the URI component reported
perl (5.36.0-7) CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High Low 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user
perl (5.36.0-7) HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High Low 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user
perl (5.36.0-7) In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. CVE-2023-41700 High Low 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user
openssl (3.0.12-) Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-5678 Medium Low 23.10.1 Not yet resolved Link [bookworm] - sudo <no-dsa> (Minor issue) TrueNAS assessment: only exploitable by a privileged user
busybox 1:1.35.0-4+b3 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". CVE-2018-1000500 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 High False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 High False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 High False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. CVE-2014-9645 Low False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. CVE-2013-1813 High False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. CVE-2011-2716 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 Medium False Positive 23.10.2 Link
busybox 1:1.35.0-4+b3 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 Critical False Positive 23.10.2 Link
file 1:5.44-3 Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. CVE-2007-1536 High False Positive 23.10.2 Link
git 1:2.39.2-1.1 The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. CVE-2022-25648 High False Positive 23.10.2 Link
git 1:2.39.2-1.1 Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. CVE-2020-5260 Medium False Positive 23.10.2 Link
github.com/go-git/go-git/v5 v5.9.0 A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. CVE-2023-49568 High False Positive 23.10.2 Link
github.com/go-git/go-git/v5 v5.9.0 A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. CVE-2023-49569 Critical False Positive 23.10.2 Link
github.com/opencontainers/runc v1.1.5 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 High Medium 23.10.2 Dragonfish 24.10 Link Vulnerability is not exposed from base product. Exposure comes from installing a malicious app. Use care when choosing apps.
github.com/rclone/rclone v1.63.0 In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. CVE-2018-12907 Medium Low 23.10.2 Not yet resolved Link
golang.org/x/crypto v0.13.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive 23.10.2 Link
golang.org/x/crypto v0.5.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive 23.10.2 Link
golang.org/x/crypto v0.7.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive 23.10.2 Link
golang.org/x/net v0.10.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 23.10.2 Link
golang.org/x/net v0.10.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 23.10.2 Link
golang.org/x/net v0.15.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 23.10.2 Link
golang.org/x/net v0.7.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 23.10.2 Link
golang.org/x/net v0.7.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 23.10.2 Link
golang.org/x/net v0.7.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 23.10.2 Link
golang.org/x/net v0.7.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 23.10.2 Link
golang.org/x/net v0.7.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 23.10.2 Link
golang.org/x/net v0.7.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 23.10.2 Link
golang.org/x/net v0.8.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 23.10.2 Link
golang.org/x/net v0.8.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 23.10.2 Link
golang.org/x/net v0.8.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 23.10.2 Link
golang.org/x/net v0.8.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 23.10.2 Link
golang.org/x/net v0.8.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 23.10.2 Link
golang.org/x/net v0.8.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium Low 23.10.2 Not yet resolved Link
google.golang.org/grpc v1.40.0 When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 CVE-2023-32731 High False Positive 23.10.2 Link
google.golang.org/grpc v1.40.0 When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 CVE-2023-32731 High False Positive 23.10.2 Link
google.golang.org/grpc v1.40.0 When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 CVE-2023-32731 High False Positive 23.10.2 Link
google.golang.org/protobuf v1.28.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 23.10.2 Link
google.golang.org/protobuf v1.28.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 23.10.2 Link
google.golang.org/protobuf v1.28.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 23.10.2 Link
google.golang.org/protobuf v1.28.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 23.10.2 Link
google.golang.org/protobuf v1.28.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 23.10.2 Link
google.golang.org/protobuf v1.28.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 23.10.2 Link
google.golang.org/protobuf v1.28.1 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 23.10.2 Link
google.golang.org/protobuf v1.28.1 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 23.10.2 Link
google.golang.org/protobuf v1.30.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 23.10.2 Link
google.golang.org/protobuf v1.30.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 23.10.2 Link
google.golang.org/protobuf v1.30.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 23.10.2 Link
google.golang.org/protobuf v1.30.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 23.10.2 Link
google.golang.org/protobuf v1.30.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 23.10.2 Link
google.golang.org/protobuf v1.30.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 23.10.2 Link
haproxy 2.6.12-1 An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. CVE-2023-0056 Medium False Positive 23.10.2 Link
haproxy 2.6.12-1 HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network. CVE-2016-2102 Medium False Positive 23.10.2 Link
haproxy 2.6.12-1 HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. CVE-2023-40225 High False Positive 23.10.2 Link
haproxy 2.6.12-1 HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. CVE-2023-45539 High False Positive 23.10.2 Link
k8s.io/apiserver v0.27.2 A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium False Positive 23.10.2 Link
keepalived 1:2.2.7-1+b2 In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property CVE-2021-44225 Medium False Positive 23.10.2 Link
keepalived 1:2.2.7-1+b2 keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap. CVE-2018-19115 High False Positive 23.10.2 Link keepalived not used in proxy mode.
openssl 3.0.11-1~deb12u3 Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. CVE-2023-5363 High False Positive 23.10.2 Link
openssl 3.0.11-1~deb12u3 Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-5678 Medium False Positive 23.10.2 Link
openssl 3.0.11-1~deb12u3 Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-0727 Medium False Positive 23.10.2 Link
openssl 3.0.11-1~deb12u3 Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. CVE-2023-6129 Medium False Positive 23.10.2 Link
perl 5.36.0-7 HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High False Positive 23.10.2 Link
perl 5.36.0-7 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High False Positive 23.10.2 Link
perl 5.36.0-7 In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. CVE-2023-47100 Critical False Positive 23.10.2 Link Perl not used with this regular expression.
busybox 1:1.35.0-4+b3 The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. CVE-2014-9645 Low False Positive 24.04.0 Link busybox not used for add_probe internally.
busybox 1:1.35.0-4+b3 util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. CVE-2013-1813 High False Positive 24.04.0 Link We don't use busybox for creating directories.
busybox 1:1.35.0-4+b3 The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. CVE-2011-2716 Medium False Positive 24.04.0 Link busybox DHCP not used.
busybox 1:1.35.0-4+b3 Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. CVE-2011-5325 Medium False Positive 24.04.0 Link We don't use busybox for tar.
busybox 1:1.35.0-4+b3 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 Critical False Positive 24.04.0 Link We don't use busybox's ash.
file 1:5.44-3 Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. CVE-2007-1536 High False Positive 24.04.0 Link We don't use file internally.
git 1:2.39.2-1.1 The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. CVE-2022-25648 High False Positive 24.04.0 Link We don't use git fetch.
git 1:2.39.2-1.1 Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. CVE-2020-5260 Medium False Positive 24.04.0 Link We don't use git with credential helpers as part of base system.
google.golang.org/protobuf v1.28.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 24.04.0 Link
google.golang.org/protobuf v1.28.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 24.04.0 Link Protobuf use is internal; no opportunity for authenticated attacker to reach internals.
google.golang.org/protobuf v1.30.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 24.04.0 Link
google.golang.org/protobuf v1.30.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 24.04.0 Link Protobuf use is internal; no opportunity for authenticated attacker to reach internals.
google.golang.org/protobuf v1.31.0 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Low False Positive 24.04.0 Link
google.golang.org/protobuf v1.31.0 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. CVE-2015-5237 Medium False Positive 24.04.0 Link Protobuf use is internal; no opportunity for authenticated attacker to reach internals.
keepalived 1:2.2.7-1+b2 In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property CVE-2021-44225 Medium False Positive 24.04.0 Link
keepalived 1:2.2.7-1+b2 keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap. CVE-2018-19115 High False Positive 24.04.0 Link iX Analysis: We don't use keepalived in proxy mode, so this issue is irrelevant.
openssl 3.0.11-1~deb12u3 Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. CVE-2023-5363 High False Positive 24.04.0 Link Changing IV size is not present in current codebase.
openssl 3.0.11-1~deb12u3 Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-5678 Medium False Positive 24.04.0 Link Openssl not used this way.
openssl 3.0.11-1~deb12u3 Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. CVE-2023-6129 Medium False Positive 24.04.0 Link System not PowerPC based.
perl 5.36.0-7+deb12u1 HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. CVE-2023-31486 High False Positive 24.04.0 Link HTTP::Tiny not used this way in codebase.
perl 5.36.0-7+deb12u1 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High False Positive 24.04.0 Link CPAN not used internally.
perl 5.36.0-7+deb12u1 In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. CVE-2023-47100 Critical False Positive 24.04.0 Link We don't use vulnerable regexp in perl.
github.com/go-git/go-git/v5 v5.9.0 A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. CVE-2023-49568 High False Positive 24.04.0 Link artifact
github.com/go-git/go-git/v5 v5.9.0 A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. CVE-2023-49569 Critical False Positive 24.04.0 Link
github.com/rclone/rclone v1.63.0 In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. CVE-2018-12907 Medium False Positive 24.04.0 Link Opened NAS-127131
golang.org/x/crypto v0.13.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive 24.04.0 Link We do not use Go-based ssh internally.
golang.org/x/crypto v0.7.0 The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Medium False Positive 24.04.0 Link We do not use Go-based ssh internally.
golang.org/x/net v0.10.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 24.04.0 Link Not serving HTTP via go code.
golang.org/x/net v0.10.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 24.04.0 Link We don't generate HTML from this package.
golang.org/x/net v0.15.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 24.04.0 Link Not serving HTTP via go code.
golang.org/x/net v0.7.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 24.04.0 Link Not serving HTTP via go code.
golang.org/x/net v0.7.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 24.04.0 Link We don't generate HTML from this package.
golang.org/x/net v0.8.0 A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. CVE-2023-39325 High False Positive 24.04.0 Link Not serving HTTP via go code.
golang.org/x/net v0.8.0 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Medium False Positive 24.04.0 Link We don't generate HTML from this package.
google.golang.org/grpc v1.40.0 When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 CVE-2023-32731 High False Positive 24.04.0 Link gRPC only used internally.
k8s.io/apiserver v0.29.0 A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. CVE-2020-8561 Medium False Positive 24.04.0 Link Not used.
github.com/mholt/archiver/v3 v3.5.1 A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library. CVE-2024-0406 Unknown False Positive 24.04.0 Link archiver not used to unpack arbitrary files.
busybox 1:1.35.0-4+b3 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 Medium False Positive 24.04.0 Link We don't use busybox for netstat.
busybox 1:1.35.0-4+b3 An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. CVE-2019-5747 Medium False Positive 24.04.0 Link We don't use busybox DHCP
busybox 1:1.35.0-4+b3 Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". CVE-2018-1000500 Medium False Positive 24.04.0 Link We don't use busybox wget
busybox 1:1.35.0-4+b3 BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. CVE-2018-1000517 High False Positive 24.04.0 Link We don't use busybox's wget
busybox 1:1.35.0-4+b3 An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. CVE-2018-20679 Medium False Positive 24.04.0 Link We don't use busybox dhcp
busybox 1:1.35.0-4+b3 In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. CVE-2017-16544 Medium False Positive 24.04.0 Link We don't use busybox shell.
busybox 1:1.35.0-4+b3 Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. CVE-2016-2147 Medium False Positive 24.04.0 Link We don't use busybox DHCP.
busybox 1:1.35.0-4+b3 Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. CVE-2016-2148 High False Positive 24.04.0 Link We don't use busybox DHCP
busybox 1:1.35.0-4+b3 The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. CVE-2016-6301 High False Positive 24.04.0 Link We don't use busybox NTP
busybox 1:1.35.0-4+b3 huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. CVE-2015-9261 Medium False Positive 24.04.0 Link busybox not used for unzip.
github.com/opencontainers/runc v1.1.5 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 High Medium 24.04.2 Link Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps.
github.com/opencontainers/runc v1.1.5 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 High Medium 24.04.0 Link Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps.
github.com/opencontainers/runc v1.1.6 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 High Medium 24.04.0 Link Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps.
openssl 3.0.11-1~deb12u3 Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-0727 Medium False Positive 24.04.0 Link We don't process arbitrary PKCS11 files.
google.golang.org/protobuf v1.31.0 The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. CVE-2024-24786 Unknown False Positive 24.04.0 Link protojson.Unmarshall not used to process such invalid JSON.
google.golang.org/protobuf v1.28.0 The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. CVE-2024-24786 Unknown False Positive 24.04.0 Link protojson.Unmarshall not used to process such invalid JSON.
google.golang.org/protobuf v1.30.0 The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. CVE-2024-24786 Unknown False Positive 24.04.0 Link protojson.Unmarshall not used to process such invalid JSON.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case. CVE-2022-36648 Critical False Positive 24.10.0 Link QEMU guests are outside of security scope. Never run untrusted VMs or applications on your TrueNAS.
busybox 1:1.35.0-4+b3 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 Critical False Positive 24.10.0 Link TrueNAS does not make use of busybox in a way that can be reached by this exploit.
zlib1g 1:1.2.13.dfsg-1 MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. CVE-2023-45853 Critical False Positive 24.10.0 Link TrueNAS doesn't use MiniZip in an exploitable way.
stdlib go1.21.6 The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 Critical False Positive 24.10.0 Link TrueNAS doesn't use Go's stdlib for IPv6 IP address checks.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. CVE-2024-32002 Critical False Positive 24.10.0 Link TrueNAS doesn't use git internally in an exploitable way for this vulnerability.
krb5-user 1.20.1-2+deb12u1 In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. CVE-2024-37371 Critical False Positive 24.10.0 Link TrueNAS isn't acting as a kerberos server.
libarchive13 3.6.2-1+deb12u1 Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c. CVE-2024-37407 Critical False Positive 24.10.0 Link libarchive is not used on untrusted files.
wget 1.21.3-1+b2 url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. CVE-2024-38428 Critical False Positive 24.10.0 Link wget is not used on untrusted URLs.
keepalived 1:2.2.7-1+b2 In the vrrp_ipsets_handler handler (fglobal_parser.c) of keepalived through 2.3.1, an integer overflow can occur. NOTE: this CVE Record might not be worthwhile because an empty ipset name must be configured by the user. CVE-2024-41184 Critical False Positive 24.10.0 Link TrueNAS is not configured in mode needed for this exploit.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 Critical False Positive 24.10.0 Link Not a 32-bit platform.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 Critical False Positive 24.10.0 Link Not a 32-bit platform.
libssl3 3.0.13-1~deb12u2 Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. CVE-2024-5535 Critical False Positive 24.10.0 Link TrueNAS doesn't use NPN. FIPS is not affected.
libnss3 2:3.87.1-1 A mismatch between allocator and deallocator could have lead to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. CVE-2024-6602 Critical False Positive 24.10.0 Link Firefox and Thunderbird not present.
gitpython 3.1.30 GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments GHSA-pr76-5cm5-w9cj Critical False Positive 24.10.0 Link TrueNAS doesn't use GitPython with untrusted git repos.
github.com/docker/docker v27.0.3+incompatible Authz zero length regression GHSA-v23v-6jw2-98fq Critical False Positive 24.10.0 Link Do not run untrusted applications on your TrueNAS system.
python3-dnspython 2.3.0-1 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." CVE-2008-1447 High False Positive 24.10.0 Link TrueNAS does not use dnspython for resolution.
libopenjp2-7 2.5.0-2 A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. CVE-2021-3575 High False Positive 24.10.0 Link TrueNAS does not use libopenjp for processing untrusted images.
busybox 1:1.35.0-4+b3 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 High False Positive 24.10.0 Link TrueNAS does not use BusyBox to run netstat.
firmware-amd-graphics 20240709-2~bpo12+1 Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2022-38076 High False Positive 24.10.0 Link WiFi firmware not used in TrueNAS.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVE-2022-3872 High False Positive 24.10.0 Link Do not run untrusted guest VMs.
libgfapi0 10.3-5 In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. CVE-2022-48340 High False Positive 24.10.0 Link Gluster FS not used internally.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. CVE-2023-1386 High False Positive 24.10.0 Link Do not run untrusted guest VMs.
libharfbuzz0b 6.0.0+dfsg-3 hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. CVE-2023-25193 High False Positive 24.10.0 Link TrueNAS is not using harfbuzz to display attacker chosen strings.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. CVE-2023-25652 High False Positive 24.10.0 Link TrueNAS doesn't run git apply internally.
vim-common 2:9.0.1378-2 Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. CVE-2023-2610 High False Positive 24.10.0 Link
dnsmasq-base 2.89-1 An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. CVE-2023-28450 High False Positive 24.10.0 Link dnsmasq is not used in a vulnerable way.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. CVE-2023-29007 High False Positive 24.10.0 Link TrueNAS does not use git on untrusted repos.
python3-dnspython 2.3.0-1 eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. CVE-2023-29483 High False Positive 24.10.0 Link TrueNAS does not use dnspython for arbitrary DNS resolution
libldap-2.5-0 2.5.13+dfsg-5 A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. CVE-2023-2953 High Low 24.10.0 Link iX considers risk to be low. There are no known exploits of this null pointer bug.
dmidecode 3.4-1 Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. CVE-2023-30630 High False Positive 24.10.0 Link dmidecode is not used in a vulnerable way.
amd64-microcode 3.20230808.1.1~deb12u1 Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. CVE-2023-31315 High False Positive 24.10.0 Link No untrusted code with ring0 access.
libperl5.36 5.36.0-7+deb12u1 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 High False Positive 24.10.0 Link CPAN is not used in a vulnerable way.
sysstat 12.6.1-1 sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. CVE-2023-33204 High False Positive 24.10.0 Link sysstat is not used in a vulnerable way.
truenas-sssd 2.9.5-2 A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. CVE-2023-3758 High False Positive 24.10.0 Link Race condition that requires non-default configuration.
busybox 1:1.35.0-4+b3 An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. CVE-2023-39810 High False Positive 24.10.0 Link Busybox not used for CPIO
shim-unsigned 15.7-1 A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. CVE-2023-40547 High False Positive 24.10.0 Link Shim not used for http-based booting.
shim-unsigned 15.7-1 A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. CVE-2023-40548 High False Positive 24.10.0 Link 32-bit platform.
sudo 1.9.13p3-1+deb12u1 Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. CVE-2023-42465 High Low 24.10.0 Link Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS.
intel-microcode 3.20240514.1~deb12u1 Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-42667 High Low 24.10.0 Link Exploit requires local authenticated access and specific Intel CPU
python3-urllib3 1.26.12-1 urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. CVE-2023-43804 High False Positive 24.10.0 Link Cookies aren't used in the vulenrable fashion in TrueNAS.
nginx 1.22.1-9 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 High Low 24.10.0 Link Do not expost your TrueNAS HTTP ports to the internet.
ovmf 2022.11-6+deb12u1 EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. CVE-2023-45236 High False Positive 24.10.0 Link VM exploit: Do not run untrusted VMs on your TrueNAS.
ovmf 2022.11-6+deb12u1 EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. CVE-2023-45237 High False Positive 24.10.0 Link VM exploit: Do not run untrusted VMs on your TrueNAS.
stdlib go1.21.6 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. CVE-2023-45288 High False Positive 24.10.0 Link Go's stdlib not used for serving HTTP.
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. CVE-2023-4738 High False Positive 24.10.0 Link
vim-common 2:9.0.1378-2 Use After Free in GitHub repository vim/vim prior to 9.0.1858. CVE-2023-4752 High False Positive 24.10.0 Link
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. CVE-2023-4781 High False Positive 24.10.0 Link
python3-cryptography 38.0.4-3 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. CVE-2023-49083 High False Positive 24.10.0 Link PKCS7 not used internally.
dnsmasq-base 2.89-1 Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. CVE-2023-50387 High False Positive 24.10.0 Link dnsmasq not used in a way that this exploit can reach.
python3-cryptography 38.0.4-3 A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. CVE-2023-50782 High False Positive 24.10.0 Link Not serving TLS via this code.
p7zip 16.02+dfsg-8 The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. CVE-2023-52168 High False Positive 24.10.0 Link p7zip not used internally.
libtiff6 4.5.0-6+deb12u1 An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. CVE-2023-52355 High False Positive 24.10.0 Link libtiff not used internally.
libtiff6 4.5.0-6+deb12u1 A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. CVE-2023-52356 High False Positive 24.10.0 Link libtiff not used internally.
libexpat1 2.5.0-1 libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 High False Positive 24.10.0 Link Unreachable denial of service.
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. CVE-2023-5344 High False Positive 24.10.0 Link
libsqlite3-0 3.40.1-2 A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999. CVE-2023-7104 High False Positive 24.10.0 Link Untrusted code cannot reach sqlite calls.
libpython3.11 3.11.2-6+deb12u2 A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. CVE-2024-0397 High Low 24.10.0 Link No exploits known beyond denial of service.
libnss3 2:3.87.1-1 An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2024-0743 High False Positive 24.10.0 Link Firefox and Thunderbird not included in TrueNAS.
bind9-dnsutils 1:9.18.24-1 A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-0760 High False Positive 24.10.0 Link TrueNAS is not serving DNS.
bind9-dnsutils 1:9.18.24-1 Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1737 High False Positive 24.10.0 Link TrueNAS is not using bind9 for cachinng results.
bind9-dnsutils 1:9.18.24-1 If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1975 High False Positive 24.10.0 Link TrueNAS is not using bind9 to cache results.
vim-common 2:9.0.1378-2 Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. CVE-2024-22667 High False Positive 24.10.0 Link
curl 7.88.1-10+deb12u5 When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 High False Positive 24.10.0 Link TrueNAS does not use libcurl in a vulnerable way.
stdlib go1.21.6 The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. CVE-2024-24784 High False Positive 24.10.0 Link TrueNAS does not use ParseAddressList
stdlib go1.21.6 The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. CVE-2024-24791 High False Positive 24.10.0 Link TrueNAS is not using net/http client.
intel-microcode 3.20240514.1~deb12u1 Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2024-24853 High False Positive 24.10.0 Link Requires local privileged access.
libxml2 2.9.14+dfsg-1.3~deb12u1 An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. CVE-2024-25062 High False Positive 24.10.0 Link TrueNAS is not processing XML from attackers.
python3-cryptography 38.0.4-3 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. CVE-2024-26130 High False Positive 24.10.0 Link TrueNAS does not use cryptography package in a vulnerable way.
krb5-user 1.20.1-2+deb12u1 Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. CVE-2024-26461 High Low 24.10.0 Link Potential memory leak; no security implications
python3-truenas-ipaclient 4.12.1-2 A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule. CVE-2024-2698 High False Positive 24.10.0 Link This only applies to FreeIPA servers. TrueNAS acts only as a client.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVE-2024-31143 High False Positive 24.10.0 Link Don't run untrusted guests.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 High False Positive 24.10.0 Link Do not run untrusted guest VMs.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVE-2024-31146 High False Positive 24.10.0 Link Do not run untrusted guest VMs.
python3-truenas-ipaclient 4.12.1-2 A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principal’s password). CVE-2024-3183 High False Positive 24.10.0 Link
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. CVE-2024-32004 High False Positive 24.10.0 Link Git not used with untrusted repositories.
git 1:2.39.2-1.1 Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. CVE-2024-32465 High False Positive 24.10.0 Link Git not used with untrusted repos.
libunbound8 1.17.1-2+deb12u2 The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. CVE-2024-33655 High False Positive 24.10.0 Link DNS resolution not used in vulnerable fashion.
stdlib go1.21.12 Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. CVE-2024-34156 High False Positive 24.10.0 Link Decode not used.
stdlib go1.21.12 Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. CVE-2024-34158 High False Positive 24.10.0 Link Build time issue.
krb5-user 1.20.1-2+deb12u1 In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. CVE-2024-37370 High Low 24.10.0 Link No proof-of-concepts exist at this time.
libpython3.11 3.11.2-6+deb12u2 The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. CVE-2024-4032 High False Positive 24.10.0 Link Address typing not relied upon for security issues.
bind9-dnsutils 1:9.18.24-1 Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-4076 High False Positive 24.10.0 Link Assertion failure won't cause system issue.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. CVE-2024-4467 High False Positive 24.10.0 Link Don't use untrusted QEMU images.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 High False Positive 24.10.0 Link TrueNAS doesn't use libexpat on untrusted XML.
liboath0 2.6.7-3.1 pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. CVE-2024-47191 High False Positive 24.10.0 Link TrueNAS does not use vulnerable PAM config required for this vulnerability.
libarchive13 3.6.2-1+deb12u1 execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. CVE-2024-48957 High False Positive 24.10.0 Link libarchive not used for audio.
libarchive13 3.6.2-1+deb12u1 execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. CVE-2024-48958 High False Positive 24.10.0 Link libarchive not used for RAR
libssl3 3.0.13-1~deb12u2 Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-6119 High False Positive 24.10.0 Link libssl not used for TLS client certificate checking
libpython3.11 3.11.2-6+deb12u2 There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. CVE-2024-6232 High False Positive 24.10.0 Link libpython not used with regular expressions in tar file processing.
python3-pkg-resources 66.1.1-1 A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 High False Positive 24.10.0 Link setuptools not used at runtime
qemu-block-extra 1:7.2+dfsg-7+deb12u6 CVE-2024-6519 High False Positive 24.10.0 Link QEMU not used for LSI HBA emulation.
libnss3 2:3.87.1-1 When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. CVE-2024-6609 High False Positive 24.10.0 Link Firefox and Thunderbird not available on system.
libgtk-3-0 3.24.38-2~deb12u1 A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. CVE-2024-6655 High False Positive 24.10.0 Link GTK applications not reachable from TrueNAS internals.
libtiff6 4.5.0-6+deb12u1 A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. CVE-2024-7006 High False Positive 24.10.0 Link libtiff not exposed to forced memory failures
libnbd0 1.14.2-1 A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. CVE-2024-7383 High False Positive 24.10.0 Link libnbd not used in vulnerable fashion
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. CVE-2024-7409 High False Positive 24.10.0 Link qemu not used in vulnerable fashion
libpython3.11 3.11.2-6+deb12u2 There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. CVE-2024-7592 High False Positive 24.10.0 Link CPython not used in vulnerable fashion.
gitpython 3.1.30 Untrusted search path under some conditions on Windows allows arbitrary code execution GHSA-2mqj-m65w-jghx High False Positive 24.10.0 Link Windows vulnerability.
pillow 9.4.0 Arbitrary Code Execution in Pillow GHSA-3f63-hfp8-52jq High False Positive 24.10.0 Link Pillow code not reachable for arbitrary images.
cryptography 38.0.4 Python Cryptography package vulnerable to Bleichenbacher timing oracle attack GHSA-3ww4-gg4f-jr7f High False Positive 24.10.0 Link Don't use RSA keys going forward. TrueNAS does not choose RSA for crypto keys.
pillow 9.4.0 Bundled libwebp in Pillow vulnerable GHSA-56pw-mpj4-fxww High False Positive 24.10.0 Link Pollow code not reachable for untrusted images.
aiohttp 3.8.5 aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests GHSA-5m98-qgg9-wh84 High False Positive 24.10.0 Link aiohttp not used for arbitrary POST requesrts.
cryptography 38.0.4 cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override GHSA-6vqw-3v5j-54x4 High False Positive 24.10.0 Link cryptography not called with unmatching certs and keys.
pillow 9.4.0 Pillow Denial of Service vulnerability GHSA-8ghj-p4vj-mr35 High False Positive 24.10.0 Link Pillow not used for arbitrary image processing.
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 otelgrpc DoS vulnerability due to unbound cardinality metrics GHSA-8pgv-569h-w5rw High False Positive 24.10.0 Link DoS not reachable in TrueNAS code.
asyncssh 2.13.2 AsyncSSH Rogue Session Attack GHSA-c35q-ffpf-5qpm High False Positive 24.10.0 Link asyncssh not used in vulnerable fashion
setuptools 66.1.1 setuptools vulnerable to Command Injection via package URL GHSA-cx63-2mw6-8hw5 High False Positive 24.10.0 Link setuptools not used for untrusted packages.
pycryptodomex 3.11.0 PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption GHSA-j225-cvw7-qrx7 High False Positive 24.10.0 Link OAEP decrytption not used internally in TrueNAS.
pillow 9.4.0 libwebp: OOB write in BuildHuffmanTable GHSA-j7hp-h8jx-5ppr High False Positive 24.10.0 Link Pillow not used for untrusted image processing.
markdown-it-py 2.1.0 markdown-it-py Denial of Service vulnerability in the command line interface GHSA-jrwr-5x3p-hvc3 High False Positive 24.10.0 Link markdown not used in vulnerable fashion.
markdown-it-py 2.1.0 markdown-it-py Denial of Service vulnerability GHSA-vrjv-mxr7-vjf8 High False Positive 24.10.0 Link markdown not used in vulnerable fashion.
gitpython 3.1.30 GitPython untrusted search path on Windows systems leading to arbitrary code execution GHSA-wfm5-v35h-vwf4 High False Positive 24.10.0 Link Windows vulnerability.
cryptography 38.0.4 Vulnerable OpenSSL included in cryptography wheels GHSA-x4qr-2fvf-3mr5 High False Positive 24.10.0 Link Not building from from supplied wheels.
certifi 2022.9.24 Removal of e-Tugra root certificate GHSA-xqr8-7jwr-rhp7 High False Positive 24.10.0 Link External certificate issue.
stdlib go1.21.6 When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. CVE-2023-45289 Unknown False Positive 24.10.0 Link Product does not follow HTTP redirects.
stdlib go1.21.6 When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. CVE-2023-45290 Unknown False Positive 24.10.0 Link Go stdlib not used for form processing.
libncurses6 6.4-4 ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c. CVE-2023-45918 Unknown False Positive 24.10.0 Link ncurses not used for basic operations.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. CVE-2023-46841 Unknown False Positive 24.10.0 Link Don't run untrusted guests.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. CVE-2023-46842 Unknown False Positive 24.10.0 Link Don't run untrusted guests.
dnsmasq-base 2.89-1 The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. CVE-2023-50868 Unknown False Positive 24.10.0 Link dnsmasq not used for DNSSEC in TrueNAS
libnss3 2:3.87.1-1 NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2023-5388 Unknown False Positive 24.10.0 Link Firefox and Thunderbird not available in TrueNAS.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. CVE-2024-2193 Unknown False Positive 24.10.0 Link Do not run untrusted guest VMs.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 CVE-2024-2201 Unknown False Positive 24.10.0 Link DO not run untrusted guest VMs.
stdlib go1.21.6 Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. CVE-2024-24783 Unknown False Positive 24.10.0 Link Go stdlib not used for certificate verification.
stdlib go1.21.6 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. CVE-2024-24785 Unknown False Positive 24.10.0 Link go stdlib not used to parse untrusted JSON
libssl3 3.0.13-1~deb12u2 Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. CVE-2024-2511 Unknown False Positive 24.10.0 Link Requires non-default TLS server config.
iperf3 3.12-1+deb12u1 iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. CVE-2024-26306 Unknown False Positive 24.10.0 Link iperf3 server not used.
krb5-user 1.20.1-2+deb12u1 Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. CVE-2024-26458 Unknown False Positive 24.10.0 Link Memory leak
krb5-user 1.20.1-2+deb12u1 Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. CVE-2024-26462 Unknown False Positive 24.10.0 Link Memory leak.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html CVE-2024-31142 Unknown False Positive 24.10.0 Link Do not run untrusted guest VMs.
libclang-cpp14 1:14.0.6-12 LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production." CVE-2024-31852 Unknown False Positive 24.10.0 Link ARM cpu only.
stdlib go1.21.12 Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. CVE-2024-34155 Unknown False Positive 24.10.0 Link Build-time problem only.
libopenipmi0 2.0.33-1+b1 OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or code execution. CVE-2024-42934 Unknown False Positive 24.10.0 Link Simulator not used.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. CVE-2024-45817 Unknown False Positive 24.10.0 Link Do not run untrusted VM guests in TrueNAS.
libssl3 3.0.13-1~deb12u2 CVE-2024-4741 Unknown False Positive 24.10.0 Link Vulnerable code not used in TrueNAS
qemu-block-extra 1:7.2+dfsg-7+deb12u6 CVE-2024-7730 Unknown False Positive 24.10.0 Link Do not run untrusted VM guests.
libpython3.11 3.11.2-6+deb12u2 There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. CVE-2024-8088 Unknown False Positive 24.10.0 Link zipfile code not used to parse untrusted zip files.
libssl3 3.0.13-1~deb12u2 Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low. In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding. The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-9143 Unknown False Positive 24.10.0 Link libssl not used for explicit EC curves.
busybox 1:1.35.0-4+b3 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 critical False Positive 24.10.2 Link TrueNAS does not make use of busybox in a way that can be reached by this exploit.
zlib1g 1:1.2.13.dfsg-1 MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. CVE-2023-45853 critical False Positive 24.10.2 Link TrueNAS doesn't use MiniZip in an exploitable way.
rsync 3.2.7-1 A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. CVE-2024-12084 critical False Positive 24.10.2 Link rsync is not used in daemon mode within TrueNAS SCALE.
stdlib go1.21.6 The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 critical False Positive 24.10.2 Link TrueNAS doesn't use Go's stdlib for IPv6 IP address checks.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. CVE-2024-32002 critical False Positive 24.10.2 Link TrueNAS doesn't use git internally in an exploitable way for this vulnerability.
krb5-user 1.20.1-2+deb12u1 In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. CVE-2024-37371 critical False Positive 24.10.2 Link TrueNAS isn't acting as a kerberos server.
wget 1.21.3-1+b2 url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. CVE-2024-38428 critical False Positive 24.10.2 Link wget is not used on untrusted URLs.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 critical False Positive 24.10.2 Link Not a 32-bit platform.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 critical False Positive 24.10.2 Link Not a 32-bit platform.
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. This vulnerability allows someone to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10. CVE-2024-47538 critical False Positive 24.10.2 Link Qemu dependency.
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c. The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used. This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior. This vulnerability is fixed in 1.24.10. CVE-2024-47600 critical False Positive 24.10.2 Link Qemu dependency.
libgstreamer1.0-0 1.22.0-2 GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. CVE-2024-47606 critical False Positive 24.10.2 Link Qemu dependency.
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10. CVE-2024-47607 critical False Positive 24.10.2 Link Qemu dependency.
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (which size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB-write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10. CVE-2024-47615 critical False Positive 24.10.2 Link Qemu dependency.
libglib2.0-0 2.74.6-2+deb12u3 gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character. CVE-2024-52533 critical False Positive 24.10.2 Link SOCKS4 not being used.
libssl3 3.0.13-1~deb12u2 Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. CVE-2024-5535 critical False Positive 24.10.2 Link TrueNAS doesn't use NPN. FIPS is not affected.
libnss3 2:3.87.1-1 A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. CVE-2024-6602 critical False Positive 24.10.2 Link Firefox and Thunderbird not present.
pillow 9.4.0 Arbitrary Code Execution in Pillow GHSA-3f63-hfp8-52jq critical False Positive 24.10.2 Link Pillow code not reachable for arbitrary images.
gitpython 3.1.30 GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments GHSA-pr76-5cm5-w9cj critical False Positive 24.10.2 Link TrueNAS doesn't use GitPython with untrusted git repos.
github.com/docker/docker v27.0.3+incompatible Authz zero length regression GHSA-v23v-6jw2-98fq critical False Positive 24.10.2 Link Do not run untrusted applications on your TrueNAS system.
golang.org/x/crypto v0.17.0 Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto GHSA-v778-237x-gjrc critical False Positive 24.10.2 Link Functions not in use.
python3-rsa 4.8-1 It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA. CVE-2020-25658 high False Positive 24.10.2 Link Python-rsa not in use.
libopenjp2-7 2.5.0-2 A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. CVE-2021-3575 high False Positive 24.10.2 Link TrueNAS does not use libopenjp for processing untrusted images.
firmware-amd-graphics 20240709-2~bpo12+1 Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2022-27635 high False Positive 24.10.2 Link Wifi not used.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVE-2022-3872 high False Positive 24.10.2 Link Do not run untrusted guest VMs.
firmware-amd-graphics 20240709-2~bpo12+1 Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2022-40964 high False Positive 24.10.2 Link Wifi not used.
firmware-amd-graphics 20240709-2~bpo12+1 Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2022-46329 high False Positive 24.10.2 Link Wifi not used.
libgfapi0 10.3-5 In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. CVE-2022-48340 high False Positive 24.10.2 Link Gluster FS not used internally.
libxml2 2.9.14+dfsg-1.3~deb12u1 xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. CVE-2022-49043 high False Positive 24.10.2 Link Qemu dependency.
libharfbuzz0b 6.0.0+dfsg-3 hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. CVE-2023-25193 high False Positive 24.10.2 Link TrueNAS is not using harfbuzz to display attacker chosen strings.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. CVE-2023-25652 high False Positive 24.10.2 Link TrueNAS doesn't run git apply internally.
vim-common 2:9.0.1378-2 Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. CVE-2023-2610 high False Positive 24.10.2 Link Only vulnerable if untrusted file is run in script mode.
dnsmasq-base 2.89-1 An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. CVE-2023-28450 high False Positive 24.10.2 Link dnsmasq is not used in a vulnerable way.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. CVE-2023-29007 high False Positive 24.10.2 Link TrueNAS does not use git on untrusted repos.
python3-dnspython 2.3.0-1 eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. CVE-2023-29483 high False Positive 24.10.2 Link TrueNAS does not use dnspython for arbitrary DNS resolution
libldap-2.5-0 2.5.13+dfsg-5 A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. CVE-2023-2953 high Low 24.10.2 Link iX considers risk to be low. There are no known exploits of this null pointer bug.
amd64-microcode 3.20230808.1.1~deb12u1 Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. CVE-2023-31315 high False Positive 24.10.2 Link No untrusted code with ring0 access.
libperl5.36 5.36.0-7+deb12u1 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 high False Positive 24.10.2 Link CPAN is not used in a vulnerable way.
sysstat 12.6.1-1 sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. CVE-2023-33204 high False Positive 24.10.2 Link sysstat is not used in a vulnerable way.
truenas-sssd 2.9.5-2 A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. CVE-2023-3758 high False Positive 24.10.2 Link Race condition that requires non-default configuration.
busybox 1:1.35.0-4+b3 An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. CVE-2023-39810 high False Positive 24.10.2 Link Busybox not used for CPIO
shim-unsigned 15.7-1 A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. CVE-2023-40547 high False Positive 24.10.2 Link Shim not used for http-based booting.
shim-unsigned 15.7-1 A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. CVE-2023-40548 high False Positive 24.10.2 Link 32-bit platform.
sudo 1.9.13p3-1+deb12u1 Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. CVE-2023-42465 high Low 24.10.2 Link Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS.
intel-microcode 3.20240514.1~deb12u1 Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-42667 high Low 24.10.2 Link Exploit requires local authenticated access and specific Intel CPU
nginx 1.22.1-9 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 high Low 24.10.2 Link Do not expost your TrueNAS HTTP ports to the internet.
stdlib go1.21.6 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. CVE-2023-45288 high False Positive 24.10.2 Link Go's stdlib not used for serving HTTP.
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. CVE-2023-4738 high False Positive 24.10.2 Link Requires obscure vim use. No known exploit.
vim-common 2:9.0.1378-2 Use After Free in GitHub repository vim/vim prior to 9.0.1858. CVE-2023-4752 high False Positive 24.10.2 Link Requires vim use; no escalation
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. CVE-2023-4781 high False Positive 24.10.2 Link Requires vim use; no escalation
dnsmasq-base 2.89-1 Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. CVE-2023-50387 high False Positive 24.10.2 Link dnsmasq not used in a way that this exploit can reach.
python3-cryptography 38.0.4-3 A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. CVE-2023-50782 high False Positive 24.10.2 Link Not serving TLS via this code.
p7zip 16.02+dfsg-8 The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. CVE-2023-52168 high False Positive 24.10.2 Link p7zip not used internally.
libtiff6 4.5.0-6+deb12u1 An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. CVE-2023-52355 high False Positive 24.10.2 Link libtiff not used internally.
libtiff6 4.5.0-6+deb12u1 A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. CVE-2023-52356 high False Positive 24.10.2 Link libtiff not used internally.
libexpat1 2.5.0-1 libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 high False Positive 24.10.2 Link Unreachable denial of service.
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. CVE-2023-5344 high False Positive 24.10.2 Link Requires vim use; no escalation
libnss3 2:3.87.1-1 An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2024-0743 high False Positive 24.10.2 Link Firefox and Thunderbird not included in TrueNAS.
bind9-dnsutils 1:9.18.24-1 A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-0760 high False Positive 24.10.2 Link TrueNAS is not serving DNS.
rsync 3.2.7-1 A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. CVE-2024-12085 high False Positive 24.10.2 Link Rsync not used in daemon mode.
bind9-dnsutils 1:9.18.24-1 Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1737 high False Positive 24.10.2 Link TrueNAS is not using bind9 for cachinng results.
bind9-dnsutils 1:9.18.24-1 If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1975 high False Positive 24.10.2 Link TrueNAS is not using bind9 to cache results.
libarchive13 3.6.2-1+deb12u1 Windows libarchive Remote Code Execution Vulnerability CVE-2024-20696 high False Positive 24.10.2 Link No windows involvement.
intel-microcode 3.20240514.1~deb12u1 Incorrect default permissions in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2024-21820 high False Positive 24.10.2 Link Requires privileged access.
vim-common 2:9.0.1378-2 Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. CVE-2024-22667 high False Positive 24.10.2 Link Requires vim use; no escalation
intel-microcode 3.20240514.1~deb12u1 Improper conditions check in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2024-23918 high False Positive 24.10.2 Link Requires privileged access.
curl 7.88.1-10+deb12u5 When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 high False Positive 24.10.2 Link TrueNAS does not use libcurl in a vulnerable way.
stdlib go1.21.6 The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. CVE-2024-24784 high False Positive 24.10.2 Link TrueNAS does not use ParseAddressList
stdlib go1.21.6 The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. CVE-2024-24791 high False Positive 24.10.2 Link TrueNAS is not using net/http client.
intel-microcode 3.20240514.1~deb12u1 Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2024-24853 high False Positive 24.10.2 Link Requires local privileged access.
libxml2 2.9.14+dfsg-1.3~deb12u1 An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. CVE-2024-25062 high False Positive 24.10.2 Link TrueNAS is not processing XML from attackers.
python3-cryptography 38.0.4-3 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. CVE-2024-26130 high False Positive 24.10.2 Link TrueNAS does not use cryptography package in a vulnerable way.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVE-2024-31143 high False Positive 24.10.2 Link Don't run untrusted guests.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 high False Positive 24.10.2 Link Do not run untrusted guest VMs.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVE-2024-31146 high False Positive 24.10.2 Link Do not run untrusted guest VMs.
git 1:2.39.2-1.1 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. CVE-2024-32004 high False Positive 24.10.2 Link Git not used with untrusted repositories.
git 1:2.39.2-1.1 Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. CVE-2024-32465 high False Positive 24.10.2 Link Git not used with untrusted repos.
libunbound8 1.17.1-2+deb12u2 The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. CVE-2024-33655 high False Positive 24.10.2 Link DNS resolution not used in vulnerable fashion.
stdlib go1.21.12 Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. CVE-2024-34156 high False Positive 24.10.2 Link Decode not used.
stdlib go1.21.12 Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. CVE-2024-34158 high False Positive 24.10.2 Link Build time issue.
krb5-user 1.20.1-2+deb12u1 In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. CVE-2024-37370 high Low 24.10.2 Link No proof-of-concepts exist at this time.
bind9-dnsutils 1:9.18.24-1 Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-4076 high False Positive 24.10.2 Link Assertion failure won't cause system issue.
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. CVE-2024-4467 high False Positive 24.10.2 Link Don't use untrusted QEMU images.
libexpat1 2.5.0-1 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 high False Positive 24.10.2 Link TrueNAS doesn't use libexpat on untrusted XML.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. CVE-2024-45817 high False Positive 24.10.2 Link Do not run untrusted VM guests in TrueNAS.
liboath0 2.6.7-3.1 pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. CVE-2024-47191 high False Positive 24.10.2 Link TrueNAS does not use vulnerable PAM config required for this vulnerability.
libssl3 3.0.13-1~deb12u2 Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-4741 high False Positive 24.10.2 Link Vulnerable code not used in TrueNAS
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket "}" appears before an opening curly bracket "{" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10. CVE-2024-47541 high False Positive 24.10.2 Link Library not used in vulnerable specific configuration.
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. CVE-2024-47542 high False Positive 24.10.2 Link Library not used in vulnerable specific configuration.
libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been detected in the parse_lrc function within gstsubparse.c. The parse_lrc function calls strchr() to find the character ']' in the string line. The pointer returned by this call is then passed to g_strdup(). However, if the string line does not contain the character ']', strchr() returns NULL, and a call to g_strdup(start + 1) leads to a null pointer dereference. This vulnerability is fixed in 1.24.10. CVE-2024-47835 high False Positive 24.10.2 Link Library not used in vulnerable specific configuration.
proftpd-core 1.3.8+dfsg-4+deb12u3 In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql. CVE-2024-48651 high False Positive 24.10.2 Link proftpd not used with mod_sql
iperf3 3.12-1+deb12u1 iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function. CVE-2024-53580 high False Positive 24.10.2 Link Requires iperf use; no escalation
python3-jinja2 3.1.2-1 Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5. CVE-2024-56201 high False Positive 24.10.2 Link Requires attacker control of template
python3-jinja2 3.1.2-1 Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5. CVE-2024-56326 high False Positive 24.10.2 Link Requires attacker control of template
grub-common 2.99-9 GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem. CVE-2024-56737 high False Positive 24.10.2 Link Requires HFS use
libssl3 3.0.13-1~deb12u2 Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-6119 high False Positive 24.10.2 Link libssl not used for TLS client certificate checking
python3-pkg-resources 66.1.1-1 A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 high False Positive 24.10.2 Link setuptools not used at runtime
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape. CVE-2024-6519 high False Positive 24.10.2 Link QEMU not used for LSI HBA emulation.
libnss3 2:3.87.1-1 When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. CVE-2024-6609 high False Positive 24.10.2 Link Firefox and Thunderbird not available on system.
libgtk-3-0 3.24.38-2~deb12u1 A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. CVE-2024-6655 high False Positive 24.10.2 Link GTK applications not reachable from TrueNAS internals.
libtiff6 4.5.0-6+deb12u1 A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. CVE-2024-7006 high False Positive 24.10.2 Link libtiff not exposed to forced memory failures
libnbd0 1.14.2-1 A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. CVE-2024-7383 high False Positive 24.10.2 Link libnbd not used in vulnerable fashion
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. CVE-2024-7409 high False Positive 24.10.2 Link qemu not used in vulnerable fashion
qemu-block-extra 1:7.2+dfsg-7+deb12u6 A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero. CVE-2024-7730 high False Positive 24.10.2 Link Do not run untrusted VM guests.
gitpython 3.1.30 Untrusted search path under some conditions on Windows allows arbitrary code execution GHSA-2mqj-m65w-jghx high False Positive 24.10.2 Link Windows vulnerability.
cryptography 38.0.4 Python Cryptography package vulnerable to Bleichenbacher timing oracle attack GHSA-3ww4-gg4f-jr7f high False Positive 24.10.2 Link Don't use RSA keys going forward. TrueNAS does not choose RSA for crypto keys.
pillow 9.4.0 Pillow buffer overflow vulnerability GHSA-44wm-f244-xhp3 high False Positive 24.10.2 Link Pillow not installed.
pillow 9.4.0 Bundled libwebp in Pillow vulnerable GHSA-56pw-mpj4-fxww high False Positive 24.10.2 Link Pollow code not reachable for untrusted images.
aiohttp 3.8.5 aiohttp is vulnerable to directory traversal GHSA-5h86-8mv2-jq9f high False Positive 24.10.2 Link aiohttp not used in vulnerable fashion
aiohttp 3.8.5 aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests GHSA-5m98-qgg9-wh84 high False Positive 24.10.2 Link aiohttp not used for arbitrary POST requesrts.
cryptography 38.0.4 cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override GHSA-6vqw-3v5j-54x4 high False Positive 24.10.2 Link cryptography not called with unmatching certs and keys.
pillow 9.4.0 Pillow Denial of Service vulnerability GHSA-8ghj-p4vj-mr35 high False Positive 24.10.2 Link Pillow not used for arbitrary image processing.
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 otelgrpc DoS vulnerability due to unbound cardinality metrics GHSA-8pgv-569h-w5rw high False Positive 24.10.2 Link DoS not reachable in TrueNAS code.
asyncssh 2.13.2 AsyncSSH Rogue Session Attack GHSA-c35q-ffpf-5qpm high False Positive 24.10.2 Link asyncssh not used in vulnerable fashion
setuptools 66.1.1 setuptools vulnerable to Command Injection via package URL GHSA-cx63-2mw6-8hw5 high False Positive 24.10.2 Link setuptools not used for untrusted packages.
pycryptodomex 3.11.0 PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption GHSA-j225-cvw7-qrx7 high False Positive 24.10.2 Link OAEP decrytption not used internally in TrueNAS.
pillow 9.4.0 libwebp: OOB write in BuildHuffmanTable GHSA-j7hp-h8jx-5ppr high False Positive 24.10.2 Link Pillow not used for untrusted image processing.
markdown-it-py 2.1.0 markdown-it-py Denial of Service vulnerability in the command line interface GHSA-jrwr-5x3p-hvc3 high False Positive 24.10.2 Link markdown not used in vulnerable fashion.
urllib3 1.26.12 `Cookie` HTTP header isn't stripped on cross-origin redirects GHSA-v845-jxx5-vc9f high False Positive 24.10.2 Link urllib not used in vulnerable fashion
markdown-it-py 2.1.0 markdown-it-py Denial of Service vulnerability GHSA-vrjv-mxr7-vjf8 high False Positive 24.10.2 Link markdown not used in vulnerable fashion.
golang.org/x/net v0.17.0 Non-linear parsing of case-insensitive content in golang.org/x/net/html GHSA-w32m-9786-jp63 high False Positive 24.10.2 Link Library not used in vulnerable fashion
gitpython 3.1.30 GitPython untrusted search path on Windows systems leading to arbitrary code execution GHSA-wfm5-v35h-vwf4 high False Positive 24.10.2 Link Windows vulnerability.
cryptography 38.0.4 Vulnerable OpenSSL included in cryptography wheels GHSA-x4qr-2fvf-3mr5 high False Positive 24.10.2 Link Not building from from supplied wheels.
certifi 2022.9.24 Removal of e-Tugra root certificate GHSA-xqr8-7jwr-rhp7 high False Positive 24.10.2 Link External certificate issue.
dnsmasq-base 2.89-1 The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. CVE-2023-50868 unknown False Positive 24.10.2 Link dnsmasq not used for DNSSEC in TrueNAS
stdlib go1.21.6 If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. CVE-2024-24785 unknown False Positive 24.10.2 Link go stdlib not used to parse untrusted JSON
libssl3 3.0.13-1~deb12u2 Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. CVE-2024-2511 unknown False Positive 24.10.2 Link Requires non-default TLS server config.
iperf3 3.12-1+deb12u1 iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. CVE-2024-26306 unknown False Positive 24.10.2 Link iperf3 server not used.
krb5-user 1.20.1-2+deb12u1 Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. CVE-2024-26462 unknown False Positive 24.10.2 Link Memory leak.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html CVE-2024-31142 unknown False Positive 24.10.2 Link Do not run untrusted guest VMs.
librados2 16.2.11+ds-2 CVE-2024-48916 unknown False Positive 24.10.2 Link Qemu dependency
grub-common 2.99-9 grub2 allowed attackers with access to the grub shell to access files on the encrypted disks. CVE-2024-49504 unknown False Positive 24.10.2 Link Grub shell not accessible
git 1:2.39.2-1.1 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. CVE-2024-50349 unknown False Positive 24.10.2 Link Git not used in vulnerable fashion
git 1:2.39.2-1.1 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. CVE-2024-52006 unknown False Positive 24.10.2 Link Git not used in vulnerable fashion
rclone 1.67.1 Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2. CVE-2024-52522 unknown False Positive 24.10.2 Link rclone not used with --links and --metadata options
libc-bin 2.36-9+deb12u7 When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. CVE-2025-0395 unknown False Positive 24.10.2 Link Unsafe assert messages not being used.
busybox 1.35.0 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. CVE-2022-48174 critical False Positive 25.04.0 Link TrueNAS does not make use of busybox in a way that can be reached by this exploit.
rsync 3.2.7-1 A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. CVE-2024-12084 critical False Positive 25.04.0 Link rsync is not used in daemon mode within TrueNAS SCALE.
stdlib go1.21.6 The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 critical False Positive 25.04.0 Link TrueNAS doesn't use Go's stdlib for IPv6 IP address checks.
wget 1.21.3-1+b2 url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. CVE-2024-38428 critical False Positive 25.04.0 Link wget is not used on untrusted URLs.
pillow 9.4.0 Arbitrary Code Execution in Pillow GHSA-3f63-hfp8-52jq critical False Positive 25.04.0 Link Pillow code not reachable for arbitrary images.
gitpython 3.1.30 GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments GHSA-pr76-5cm5-w9cj critical False Positive 25.04.0 Link TrueNAS doesn't use GitPython with untrusted git repos.
golang.org/x/crypto v0.17.0 Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto GHSA-v778-237x-gjrc critical False Positive 25.04.0 Link Functions not in use.
linux-kernel 6.12.15-debug+truenas The embedded Linux kernel in certain Sun-Brocade SilkWorm switches before 20070516 does not properly handle a situation in which a non-root user creates a kernel process, which allows attackers to cause a denial of service (oops and device reboot) via unspecified vectors. CVE-2007-2764 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress. CVE-2008-4609 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd. CVE-2016-3699 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas An elevation of privilege vulnerability exists in the NVIDIA GPU driver (gm20b_clk_throt_set_cdev_state), where an out of bound memory read is used as a function pointer could lead to code execution in the kernel.This issue is rated as high because it could allow a local malicious application to execute arbitrary code within the context of a privileged process. Product: Android. Version: N/A. Android ID: A-34705430. References: N-CVE-2017-6264. CVE-2017-6264 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation. CVE-2018-10902 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients. CVE-2018-14625 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel. CVE-2019-14899 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196. CVE-2020-16119 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. CVE-2020-1749 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2020-27815 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation. CVE-2021-20194 high False Positive 25.04.0 Link
libopenjp2-7 2.5.0-2 A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. CVE-2021-3575 high False Positive 25.04.0 Link TrueNAS does not use libopenjp for processing untrusted images.
linux-kernel 6.12.15-debug+truenas A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges. CVE-2021-3864 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos. CVE-2022-0400 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero. CVE-2022-1247 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859 CVE-2022-2327 high False Positive 25.04.0 Link
busybox 1.35.0 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. CVE-2022-28391 high False Positive 25.04.0 Link TrueNAS does not use BusyBox to run netstat.
busybox 1.35.0 A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. CVE-2022-30065 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032. CVE-2022-3534 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability. CVE-2022-3566 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211935. CVE-2022-3636 high False Positive 25.04.0 Link
firmware-amd-graphics 20240709-2~bpo12+1 Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2022-38076 high False Positive 25.04.0 Link WiFi firmware not used in TrueNAS.
qemu-block-extra 1:7.2+dfsg-7+deb12u12 An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVE-2022-3872 high False Positive 25.04.0 Link Do not run untrusted guest VMs.
libgfapi0 10.3-5 In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. CVE-2022-48340 high False Positive 25.04.0 Link Gluster FS not used internally.
libxml2 2.9.14+dfsg-1.3~deb12u1 xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. CVE-2022-49043 high False Positive 25.04.0 Link Qemu dependency.
qemu-block-extra 1:7.2+dfsg-7+deb12u12 A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. CVE-2023-1386 high False Positive 25.04.0 Link Do not run untrusted guest VMs.
libharfbuzz0b 6.0.0+dfsg-3 hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. CVE-2023-25193 high False Positive 25.04.0 Link TrueNAS is not using harfbuzz to display attacker chosen strings.
vim-common 2:9.0.1378-2 Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. CVE-2023-2610 high False Positive 25.04.0 Link Only vulnerable if untrusted file is run in script mode.
ipmctl 03.00.00.0468-1 Improper access control in some Intel(R) Optane(TM) PMem software before versions 01.00.00.3547, 02.00.00.3915, 03.00.00.0483 may allow an athenticated user to potentially enable escalation of privilege via local access. CVE-2023-27517 high False Positive 25.04.0 Link
curl 7.88.1 A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system. CVE-2023-27533 high False Positive 25.04.0 Link
curl 7.88.1 A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user. CVE-2023-27534 high False Positive 25.04.0 Link
curl 7.88.1 A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed. CVE-2023-28319 high False Positive 25.04.0 Link
python3-dnspython 2.3.0-1 eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. CVE-2023-29483 high False Positive 25.04.0 Link TrueNAS does not use dnspython for arbitrary DNS resolution
libldap-2.5-0 2.5.13+dfsg-5 A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. CVE-2023-2953 high Low 25.04.0 Link iX considers risk to be low. There are no known exploits of this null pointer bug.
linux-kernel 6.12.15-debug+truenas Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2023-3079 high False Positive 25.04.0 Link
libperl5.36 5.36.0-7+deb12u1 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 high False Positive 25.04.0 Link CPAN is not used in a vulnerable way.
sysstat 12.6.1-1 sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. CVE-2023-33204 high False Positive 25.04.0 Link sysstat is not used in a vulnerable way.
intel-microcode 3.20241112.1~deb12u1 Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2023-34440 high High 25.04.0 Link Only applies to certain CPUs. Check this link for more information: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
linux-kernel 6.12.15-debug+truenas A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system. CVE-2023-3640 high False Positive 25.04.0 Link
curl 7.88.1 When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory. CVE-2023-38039 high False Positive 25.04.0 Link
busybox-static 1:1.35.0-4+b3 An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. CVE-2023-39810 high False Positive 25.04.0 Link Busybox not used for CPIO
sudo 1.9.13p3-1+deb12u1 Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. CVE-2023-42465 high Low 25.04.0 Link Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS.
intel-microcode 3.20241112.1~deb12u1 Improper input validation in UEFI firmware for some Intel(R) processors may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2023-43758 high High 25.04.0 Link Only some CPUs are vulnerable Check this link for more information: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
nginx 1.22.1 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 high Low 25.04.0 Link Do not expost your TrueNAS HTTP ports to the internet.
ovmf 2022.11-6+deb12u1 EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. CVE-2023-45236 high False Positive 25.04.0 Link VM exploit: Do not run untrusted VMs on your TrueNAS.
ovmf 2022.11-6+deb12u1 EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. CVE-2023-45237 high False Positive 25.04.0 Link VM exploit: Do not run untrusted VMs on your TrueNAS.
stdlib go1.21.6 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. CVE-2023-45288 high False Positive 25.04.0 Link Go's stdlib not used for serving HTTP.
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. CVE-2023-4738 high False Positive 25.04.0 Link Requires obscure vim use. No known exploit.
vim-common 2:9.0.1378-2 Use After Free in GitHub repository vim/vim prior to 9.0.1858. CVE-2023-4752 high False Positive 25.04.0 Link Requires vim use; no escalation
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. CVE-2023-4781 high False Positive 25.04.0 Link Requires vim use; no escalation
proftpd 1.3.8 make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics. CVE-2023-51713 high False Positive 25.04.0 Link Original report not valid.
p7zip 16.02+dfsg-8 The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. CVE-2023-52168 high False Positive 25.04.0 Link p7zip not used internally.
libtiff6 4.5.0-6+deb12u2 An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. CVE-2023-52355 high False Positive 25.04.0 Link libtiff not used internally.
libexpat1 2.5.0-1+deb12u1 libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 high False Positive 25.04.0 Link Unreachable denial of service.
vim-common 2:9.0.1378-2 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. CVE-2023-5344 high False Positive 25.04.0 Link Requires vim use; no escalation
linux-kernel 6.12.15-debug+truenas A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. CVE-2023-6270 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. CVE-2023-6535 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information. CVE-2023-6610 high False Positive 25.04.0 Link
bind9-dnsutils 1:9.18.28-1~deb12u2 It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1. CVE-2024-11187 high False Positive 25.04.0 Link
rsync 3.2.7-1 A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. CVE-2024-12085 high False Positive 25.04.0 Link Rsync not used in daemon mode.
bind9-dnsutils 1:9.18.28-1~deb12u2 Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. CVE-2024-12705 high False Positive 25.04.0 Link
vim-common 2:9.0.1378-2 Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. CVE-2024-22667 high False Positive 25.04.0 Link Requires vim use; no escalation
curl 7.88.1 When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 high False Positive 25.04.0 Link TrueNAS does not use libcurl in a vulnerable way.
intel-microcode 3.20241112.1~deb12u1 Improper input validation in XmlCli feature for UEFI firmware for some Intel(R) processors may allow privileged user to potentially enable escalation of privilege via local access. CVE-2024-24582 high False Positive 25.04.0 Link
stdlib go1.21.6 The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. CVE-2024-24784 high False Positive 25.04.0 Link TrueNAS does not use ParseAddressList
stdlib go1.21.6 The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. CVE-2024-24791 high False Positive 25.04.0 Link TrueNAS is not using net/http client.
libxml2 2.9.14+dfsg-1.3~deb12u1 An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. CVE-2024-25062 high False Positive 25.04.0 Link TrueNAS is not processing XML from attackers.
intel-microcode 3.20241112.1~deb12u1 Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2024-28127 high High 25.04.0 Link Only some CPUs are vulnerable. Check this link for more information: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
intel-microcode 3.20241112.1~deb12u1 Improper input validation in UEFI firmware CseVariableStorageSmm for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2024-29214 high High 25.04.0 Link Only some CPUs are vulnerable. Check this link for more information: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html CVE-2024-31142 high False Positive 25.04.0 Link Do not run untrusted guest VMs.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVE-2024-31143 high False Positive 25.04.0 Link Don't run untrusted guests.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 high False Positive 25.04.0 Link Do not run untrusted guest VMs.
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVE-2024-31146 high False Positive 25.04.0 Link Do not run untrusted guest VMs.
libunbound8 1.17.1-2+deb12u2 The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. CVE-2024-33655 high False Positive 25.04.0 Link DNS resolution not used in vulnerable fashion.
stdlib go1.21.6 Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. CVE-2024-34156 high False Positive 25.04.0 Link Decode not used.
stdlib go1.21.6 Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. CVE-2024-34158 high False Positive 25.04.0 Link Build time issue.
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_rx_work syzbot reported the following uninit-value access issue [1] nci_rx_work() parses received packet from ndev->rx_q. It should be validated header size, payload size and total packet size before processing the packet. If an invalid packet is detected, it should be silently discarded. CVE-2024-38381 high False Positive 25.04.0 Link
python 3.11.9 The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. CVE-2024-4032 high False Positive 25.04.0 Link Address typing not relied upon for security issues.
grub-common 2.99-9 A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may read to a heap-based out-of-bounds writer, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass. CVE-2024-45782 high False Positive 25.04.0 Link
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. CVE-2024-45817 high False Positive 25.04.0 Link Do not run untrusted VM guests in TrueNAS.
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: drm/xe/tracing: Fix a potential TP_printk UAF The commit afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format") exposes potential UAFs in the xe_bo_move trace event. Fix those by avoiding dereferencing the xe_mem_type_to_name[] array at TP_printk time. Since some code refactoring has taken place, explicit backporting may be needed for kernels older than 6.10. CVE-2024-49570 high False Positive 25.04.0 Link
jq 1.6 decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits). CVE-2024-53427 high False Positive 25.04.0 Link
iperf3 3.12-1+deb12u1 iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function. CVE-2024-53580 high False Positive 25.04.0 Link Requires iperf use; no escalation
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: bsg: Set bsg_queue to NULL after removal Currently, this does not cause any issues, but I believe it is necessary to set bsg_queue to NULL after removing it to prevent potential use-after-free (UAF) access. CVE-2024-54458 high False Positive 25.04.0 Link
libxslt1.1 1.1.35-1 xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. CVE-2024-55549 high False Positive 25.04.0 Link
amd64-microcode 3.20240820.1~deb12u1 Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP. CVE-2024-56161 high High 25.04.0 Link This issue is CPU dependent; check this URL for more information: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
libxml2 2.9.14+dfsg-1.3~deb12u1 libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. CVE-2024-56171 high False Positive 25.04.0 Link
grub-common 2.99-9 GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem. CVE-2024-56737 high False Positive 25.04.0 Link Requires HFS use
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different radio, it gets deleted from that radio through a call to ath12k_mac_unassign_link_vif(). This action frees the arvif pointer. Subsequently, there is a check involving arvif, which will result in a read-after-free scenario. Fix this by moving this check after arvif is again assigned via call to ath12k_mac_assign_link_vif(). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 CVE-2024-57995 high False Positive 25.04.0 Link
python 3.11.9 There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. CVE-2024-6232 high False Positive 25.04.0 Link libpython not used with regular expressions in tar file processing.
qemu-block-extra 1:7.2+dfsg-7+deb12u12 A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape. CVE-2024-6519 high False Positive 25.04.0 Link QEMU not used for LSI HBA emulation.
libnbd0 1.14.2-1 A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. CVE-2024-7383 high False Positive 25.04.0 Link libnbd not used in vulnerable fashion
python 3.11.9 There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. CVE-2024-7592 high False Positive 25.04.0 Link CPython not used in vulnerable fashion.
qemu-block-extra 1:7.2+dfsg-7+deb12u12 A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero. CVE-2024-7730 high False Positive 25.04.0 Link Do not run untrusted VM guests.
python 3.11.9 There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. CVE-2024-8088 high False Positive 25.04.0 Link zipfile code not used to parse untrusted zip files.
libexpat1 2.5.0-1+deb12u1 A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. CVE-2024-8176 high Low 25.04.0 Link TrueNAS code doesn't use libexpat in an unsafe fashion.
python 3.11.9 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. CVE-2024-9287 high False Positive 25.04.0 Link
libc-bin 2.36-9+deb12u9 When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. CVE-2025-0395 high False Positive 25.04.0 Link Unsafe assert messages not being used.
grub-common 2.99-9 A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to by-pass secure boot protections. CVE-2025-0624 high False Positive 25.04.0 Link Network boot is not used.
grub-common 2.99-9 A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the direct_read() will perform a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, by-passing secure boot protections. CVE-2025-0678 high False Positive 25.04.0 Link TrueNAS does not boot untrusted file systems.
curl 7.88.1 When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. CVE-2025-0725 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: net/mlx5: HWS, change error flow on matcher disconnect Currently, when firmware failure occurs during matcher disconnect flow, the error flow of the function reconnects the matcher back and returns an error, which continues running the calling function and eventually frees the matcher that is being disconnected. This leads to a case where we have a freed matcher on the matchers list, which in turn leads to use-after-free and eventual crash. This patch fixes that by not trying to reconnect the matcher back when some FW command fails during disconnect. Note that we're dealing here with FW error. We can't overcome this problem. This might lead to bad steering state (e.g. wrong connection between matchers), and will also lead to resource leakage, as it is the case with any other error handling during resource destruction. However, the goal here is to allow the driver to continue and not crash the machine with use-after-free error. CVE-2025-21751 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-21756 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: extend RCU protection in igmp6_send() igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection. CVE-2025-21759 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF. CVE-2025-21760 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() ovs_vport_cmd_fill_info() can be called without RTNL or RCU. Use RCU protection and dev_net_rcu() to avoid potential UAF. CVE-2025-21761 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: arp: use RCU protection in arp_xmit() arp_xmit() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. CVE-2025-21762 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: neighbour: use RCU protection in __neigh_notify() __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. CVE-2025-21763 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF. CVE-2025-21764 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: orangefs: fix a oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch. CVE-2025-21782 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). CVE-2025-21785 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: workqueue: Put the pwq after detaching the rescuer from the pool The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in put_unbound_pool(), which caused a use-after-free bug reported by Cheung Wall. To avoid the use-after-free bug, the pool’s reference must be held until the detachment is complete. Therefore, move the code that puts the pwq after detaching the rescuer from the pool. CVE-2025-21786 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. CVE-2025-21791 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel. To fix this, a 0 element was added at the end of the array to break the for loop. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad CVE-2025-21794 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28 refcount_warn_saturate+0xb5/0x170 Modules linked in: CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted 6.12.0-rc6-00079-g04ae226af01f-dirty #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb5/0x170 Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75 e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb cd 0f b6 1d 8a3 RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380 RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56 R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001 R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0 FS: 0000000000000000(0000) GS:ffff88871ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0xb5/0x170 ? __warn+0xa5/0x140 ? refcount_warn_saturate+0xb5/0x170 ? report_bug+0x1b1/0x1e0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x17/0x40 ? asm_exc_invalid_op+0x1a/0x20 ? tick_nohz_tick_stopped+0x1e/0x40 ? refcount_warn_saturate+0xb5/0x170 ? refcount_warn_saturate+0xb5/0x170 nfs3svc_release_getacl+0xc9/0xe0 svc_process_common+0x5db/0xb60 ? __pfx_svc_process_common+0x10/0x10 ? __rcu_read_unlock+0x69/0xa0 ? __pfx_nfsd_dispatch+0x10/0x10 ? svc_xprt_received+0xa1/0x120 ? xdr_init_decode+0x11d/0x190 svc_process+0x2a7/0x330 svc_handle_xprt+0x69d/0x940 svc_recv+0x180/0x2d0 nfsd+0x168/0x200 ? __pfx_nfsd+0x10/0x10 kthread+0x1a2/0x1e0 ? kthread+0xf4/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... Clear acl_access/acl_default after posix_acl_release is called to prevent UAF from being triggered. CVE-2025-21796 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 ================================================================== CVE-2025-21855 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: s390/ism: add release function for struct device According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must be fixed. The current code directly frees the device after calling device_add() without waiting for other kernel parts to release their references. Thus, a reference could still be held to a struct device, e.g., by sysfs, leading to potential use-after-free issues if a proper release function is not set. CVE-2025-21856 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list. The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed. However, its geneve_dev.next is still linked to the backend UDP socket netns. Then, use-after-free will occur when another geneve dev is created in the netns. Let's call geneve_dellink() instead in geneve_destroy_tunnels(). [0]: BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441 CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 geneve_find_dev drivers/net/geneve.c:1295 [inline] geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 __sys_sendmsg net/socket.c:2654 [inline] __do_sys_sendmsg net/socket.c:2659 [inline] __se_sys_sendmsg net/socket.c:2657 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 Allocated by task 13247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_n ---truncated--- CVE-2025-21858 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we santitise it against speculations. CVE-2025-21863 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value as the user_data argument to bpf_test_init(). Fix this by returning an error when user_data is less than ETH_HLEN in bpf_test_init(). Additionally, remove the check for "if (user_size > size)" as it is unnecessary. [1] BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635 xdp_recv_frames net/bpf/test_run.c:272 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318 bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371 __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline] __se_sys_bpf kernel/bpf/syscall.c:5864 [inline] __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864 x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: free_pages_prepare mm/page_alloc.c:1056 [inline] free_unref_page+0x156/0x1320 mm/page_alloc.c:2657 __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838 bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline] ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235 bpf_map_free kernel/bpf/syscall.c:838 [inline] bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310 worker_thread+0xedf/0x1550 kernel/workqueue.c:3391 kthread+0x535/0x6b0 kernel/kthread.c:389 ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 CVE-2025-21867 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK> CVE-2025-21887 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: keys: Fix UAF in key_put() Once a key's reference count has been reduced to 0, the garbage collector thread may destroy it at any time and so key_put() is not allowed to touch the key after that point. The most key_put() is normally allowed to do is to touch key_gc_work as that's a static global variable. However, in an effort to speed up the reclamation of quota, this is now done in key_put() once the key's usage is reduced to 0 - but now the code is looking at the key after the deadline, which is forbidden. Fix this by using a flag to indicate that a key can be gc'd now rather than looking at the key's refcount in the garbage collector. CVE-2025-21893 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes. CVE-2025-21919 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization. CVE-2025-21920 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. CVE-2025-21927 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, `hid_destroy_device()` uses `driver_data` when it calls `hid_ishtp_set_feature()` to power off the sensor, so freeing `driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary variable before calling `hid_destroy_device()`, and then freeing the `driver_data` after the device is destroyed. CVE-2025-21928 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() During the `rmmod` operation for the `intel_ishtp_hid` driver, a use-after-free issue can occur in the hid_ishtp_cl_remove() function. The function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(), which can lead to accessing freed memory or resources during the removal process. Call Trace: ? ishtp_cl_send+0x168/0x220 [intel_ishtp] ? hid_output_report+0xe3/0x150 [hid] hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid] ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid] hid_hw_request+0x1f/0x40 [hid] sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub] _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger] hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger] sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub] hid_device_remove+0x49/0xb0 [hid] hid_destroy_device+0x6f/0x90 [hid] ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid] hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid] ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp] ... Additionally, ishtp_hid_remove() is a HID level power off, which should occur before the ISHTP level disconnect. This patch resolves the issue by reordering the calls in hid_ishtp_cl_remove(). The function ishtp_hid_remove() is now called before hid_ishtp_cl_deinit(). CVE-2025-21929 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misues when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add "mport->net = NULL;" to avoid a use after free issue. CVE-2025-21934 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_lock If smb_lock->zero_len has value, ->llist of smb_lock is not delete and flock is old one. It will cause use-after-free on error handling routine. CVE-2025-21945 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Fix memory corruption due to incorrect parameter being passed to bio_init CVE-2025-21966 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with linked list. The interim request could be immediately sent whenever a oplock break wait is needed. CVE-2025-21967 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128) CVE-2025-21968 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837 CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci1 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline] l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline] l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline] hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5837: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726 hci_event_func net/bluetooth/hci_event.c:7473 [inline] hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 54: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- CVE-2025-21969 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel wiphy_work before freeing wiphy A wiphy_work can be queued from the moment the wiphy is allocated and initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the rdev::wiphy_work is getting queued. If wiphy_free is called before the rdev::wiphy_work had a chance to run, the wiphy memory will be freed, and then when it eventally gets to run it'll use invalid memory. Fix this by canceling the work before freeing the wiphy. CVE-2025-21979 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ] CVE-2025-21991 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. CVE-2025-21993 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan@gmail.com: don't do 2 atomic ops on the common path] CVE-2025-21999 high False Positive 25.04.0 Link
linux-kernel 6.12.15-debug+truenas In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. CVE-2025-22004 high False Positive 25.04.0 Link
libxslt1.1 1.1.35-1 numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. CVE-2025-24855 high False Positive 25.04.0 Link
libxml2 2.9.14+dfsg-1.3~deb12u1 libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. CVE-2025-24928 high False Positive 25.04.0 Link
libxml2 2.9.14+dfsg-1.3~deb12u1 libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. CVE-2025-27113 high False Positive 25.04.0 Link
libfreetype6 2.12.1+dfsg-5+deb12u3 An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. CVE-2025-27363 high False Positive 25.04.0 Link
exim4-base 4.96-15+deb12u6 A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges. CVE-2025-30232 high False Positive 25.04.0 Link
liblzma5 5.4.1-0.2 XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. CVE-2025-31115 high False Positive 25.04.0 Link
gitpython 3.1.30 Untrusted search path under some conditions on Windows allows arbitrary code execution GHSA-2mqj-m65w-jghx high False Positive 25.04.0 Link Windows vulnerability.
pillow 9.4.0 Pillow buffer overflow vulnerability GHSA-44wm-f244-xhp3 high False Positive 25.04.0 Link Pillow not installed.
pillow 9.4.0 Bundled libwebp in Pillow vulnerable GHSA-56pw-mpj4-fxww high False Positive 25.04.0 Link Pollow code not reachable for untrusted images.
pillow 9.4.0 Pillow Denial of Service vulnerability GHSA-8ghj-p4vj-mr35 high False Positive 25.04.0 Link Pillow not used for arbitrary image processing.
asyncssh 2.10.1 AsyncSSH Rogue Session Attack GHSA-c35q-ffpf-5qpm high False Positive 25.04.0 Link asyncssh not used in vulnerable fashion
setuptools 66.1.1 setuptools vulnerable to Command Injection via package URL GHSA-cx63-2mw6-8hw5 high False Positive 25.04.0 Link setuptools not used for untrusted packages.
golang.org/x/crypto v0.17.0 golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange GHSA-hcg3-q754-cr77 high False Positive 25.04.0 Link
pycryptodomex 3.11.0 PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption GHSA-j225-cvw7-qrx7 high False Positive 25.04.0 Link OAEP decrytption not used internally in TrueNAS.
pillow 9.4.0 libwebp: OOB write in BuildHuffmanTable GHSA-j7hp-h8jx-5ppr high False Positive 25.04.0 Link Pillow not used for untrusted image processing.
markdown-it-py 2.1.0 markdown-it-py Denial of Service vulnerability in the command line interface GHSA-jrwr-5x3p-hvc3 high False Positive 25.04.0 Link markdown not used in vulnerable fashion.
github.com/golang-jwt/jwt/v4 v4.5.0 jwt-go allows excessive memory allocation during header parsing GHSA-mh63-6h87-95cp high False Positive 25.04.0 Link
urllib3 1.26.12 `Cookie` HTTP header isn't stripped on cross-origin redirects GHSA-v845-jxx5-vc9f high False Positive 25.04.0 Link urllib not used in vulnerable fashion
markdown-it-py 2.1.0 markdown-it-py Denial of Service vulnerability GHSA-vrjv-mxr7-vjf8 high False Positive 25.04.0 Link markdown not used in vulnerable fashion.
gitpython 3.1.30 GitPython untrusted search path on Windows systems leading to arbitrary code execution GHSA-wfm5-v35h-vwf4 high False Positive 25.04.0 Link Windows vulnerability.
certifi 2022.9.24 Removal of e-Tugra root certificate GHSA-xqr8-7jwr-rhp7 high False Positive 25.04.0 Link External certificate issue.
libperl5.36 5.36.0-7+deb12u1 A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses. CVE-2024-56406 unknown False Positive 25.04.0 Link
libxencall1 4.17.3+10-g091466ba55-1~deb12u1 CVE-2025-1713 unknown False Positive 25.04.0 Link
stdlib go1.21.6 The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. CVE-2025-22871 unknown False Positive 25.04.0 Link
krb5-user 1.20.1-2+deb12u2 CVE-2025-24528 unknown False Positive 25.04.0 Link
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low M30 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low M40 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low M50 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low M60 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R10 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R20 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R20A Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R20B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R40 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R50 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R50B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
BMC IPMI firmware The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. CVE-2013-4786 High Low R50BM Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R10 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R10 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R10 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R10 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R10 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R10 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R10 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R20 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R20 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R20 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R20 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R20 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R20 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R20 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R20A N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R20A N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R20A Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R20A Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R20A N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R20A N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R20A Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R40 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R40 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R40 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R40 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R40 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R40 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R40 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R50 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R50 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R50 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R50 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R50 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R50 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (1.71.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R50 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R20B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R20B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R20B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R20B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R20B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R20B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R20B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R50B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R50B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R50B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R50B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R50B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R50B N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R50B Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive R50BM N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive R50BM N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low R50BM Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low R50BM Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive R50BM N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive R50BM N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low R50BM Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive M30 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive M30 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low M30 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low M30 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive M30 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive M30 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low M30 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive M40 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive M40 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low M40 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low M40 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive M40 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive M40 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low M40 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive M50 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive M50 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low M50 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low M50 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive M50 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive M50 (G1/G2/G3) N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low M50 (G1/G2/G3) Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. CVE-2023-40289 False Positive False Positive M60 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40284 False Positive False Positive M60 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40287 High Low M60 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. CVE-2023-40288 High Low M60 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. CVE-2023-40290 False Positive False Positive M60 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40285 False Positive False Positive M60 N/A Link N/A to iX custom FW
Supermicro BMC IPMI firmware (6.74.11) An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. CVE-2023-40286 High Low M60 Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25636 High Low Mini E Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25636 High Low Mini E+ Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25636 High Low Mini X Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25637 High Low Mini E Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25637 High Low Mini E+ Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25637 High Low Mini X Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25638 High Low Mini E Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25638 High Low Mini E+ Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
ASRock IPMI Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. ZDI-CAN-25638 High Low Mini X Not yet resolved Link As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system.
TrueNAS SCALE Logo
TrueNAS
CommunityTM | EnterpriseTM
Security TrueCommand Logo
TrueCommand®
Security TrueNAS Enterprise Logo
TrueNAS® | Enterprise
Hardware Solutions
Security TrueNAS Core Logo
TrueNAS
CORETM | EnterpriseTM
Security